How to Fix Incomplete Certificate Chain Warning?

This KB explains why warnings such as “Incomplete SSL Certificate Chain” or “Broken SSL Chain” occur and how you can quickly fix them.

Written by Cloudways Product
Updated over a week ago

This knowledge base article explains why warnings such as “Incomplete SSL Certificate Chain” or “Broken SSL Chain” occur and how you can quickly fix them.

SSL sounds straightforward: you deploy an SSL certificate to protect your website and its visitors by encrypting their communication so that malicious actors cannot interfere with it. Most people do not dive deeper into SSL concepts and prefer to let professionals handle certificate configuration and troubleshooting. If you are going to fix the issue yourself, it helps to understand a few SSL-related terms first. The chain warning appears when the SSL chain of trust is affected, so let’s start with what the SSL Chain of Trust is.

What is the SSL Chain of Trust?

Let’s first understand what a Certificate Authority (CA) is. A Certificate Authority, or Certification Authority, is an organization that issues and manages digital security certificates, e.g., SSL/TLS certificates. CAs are trusted third-party entities (such as DigiCert, Comodo, etc.). Their digital certificates are, in general, data files that validate the identity of an entity such as a company or a website and securely tie that identity to the cryptographic keys used for secure communication on an unsecured network, e.g., the internet. So, when you discuss terms such as Certificate Authorities, root and intermediate certificates, and how SSL certificates are chained, you are referring to a concept called the “SSL Chain of Trust”.

Usually, when you get or buy an SSL certificate from a CA, it provides you with a dedicated application certificate for your website and the intermediate certificate. Web browsers maintain a list of trusted root CA certificates, which are preinstalled and occasionally updated automatically. When a web browser loads your SSL certificate, it first chains your application certificate to the intermediate certificate. Then it continues chaining until it reaches the trusted CA’s root certificate. This whole mechanism forms the SSL Chain of Trust: an ordered list of certificates that lets the end-user client, such as a web browser acting as the receiver, verify that the website’s server acting as the sender and the CA are trustworthy.


Now, let’s understand why the “Incomplete SSL Certificate Chain” or “Broken SSL Chain” occurs.

Why Does an Incomplete Certificate Chain Warning Occur?

The following are the reasons why warnings like “Incomplete SSL Certificate Chain” and “Broken SSL Chain” occur:

  • When you deploy a Custom SSL Certificate using the Cloudways Platform, you are required to add your website’s SSL certificate along with the intermediate certificate (in some cases, the Private Key is needed as well). If you miss installing the intermediate certificate or upload the wrong one, the certificate cannot be chained back, and browsers will not trust it. They may show a broken chain warning or something similar.

  • Or, if your intermediate certificate becomes invalid due to revocation or expiration, you may also see such warnings.

How to Identify the Incomplete Certificate Chain Warning

We highly recommend verifying your SSL certificate to see if your website has a broken chain issue. Not seeing such a warning in your own browser does not necessarily mean that your website visitors do not see it either, so identifying this issue is the first step to avoid leaving your visitors and website vulnerable.

Let’s see how different third-party SSL checking tools hint when the SSL certificate chain is broken.

Qualys SSL Labs

That’s how Qualys SSL Labs warns when the SSL certificate chain is broken.

SSL Shopper

That’s how SSL Shopper warns when the SSL certificate chain is broken.

Why No Padlock

That’s how Why No Padlock warns when the SSL certificate chain is broken.

Comodo SSL Store

That’s how Comodo SSL Store warns when the SSL certificate chain is broken.


How to Fix the Incomplete Certificate Chain Warning

To fix this issue, you must modify/add an active intermediate certificate. If you are a Cloudways client, it is just a matter of copying and pasting instead of running several commands on your server.

Step #1

First, you need to identify if you possess your intermediate certificate or not. When you buy an SSL certificate from any SSL vendor, they provide you with your dedicated server/application certificate in .crt or .cer file format (e.g., mydomain.crt/mydomain.cer) along with the intermediate certificate in .ca or .ca-bundle file format (e.g., mydomain.ca/mydomain.ca-bundle).

So, if you have your application certificate (.crt/.cer file) along with the intermediate certificate (.ca/.ca-bundle file), you can proceed to Step #2. If you do not have an intermediate certificate, you need to generate one, so click “Generate Intermediate Certificate” below to see the steps.

Generate Intermediate Certificate

To generate an intermediate certificate, you can use any third-party tool such as What’s My Chain Cert. Once you visit this website, you need to paste your application’s SSL certificate (.crt/.cer file) content first and click Generate Chain, as shown in the screenshot below.

Tip

To view and copy your certificate file content (.crt/.cer file), you can use any text editor, such as Notepad for Windows or TextEdit for Mac. Please note that you need to copy and paste the whole certificate, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

After you click Generate Chain, a downloadable file named after your domain will be available. The downloaded file is your intermediate certificate.

Step #2

Now, log in to the Cloudways Platform. Once logged in, navigate to the Servers tab from the top menu bar and choose the target server on which your desired application/website is deployed.

Next, click www, located at the right-hand side of the server box. Select your target application from the drop-down list.

In the Application Management menu, select SSL Certificate.

Step #3

Here, you will either see the Re-Install SSL option, or you will see an Install Certificate option.

So, to keep things simple, please select which option you see on your screen from the choices below, as the process varies for both.

Classic Interface

I See the “Install Certificate” Option

Step (Ⅰ)

Click Install Certificate to install the SSL certificate and its intermediate certificate.

Step (Ⅱ)

A dialogue box will appear, prompting for the Certificate Code and CA Chain.

  • Certificate Code refers to your application SSL certificate file content. Most SSL vendors provide this in .crt or .cer file format (e.g., mydomain.crt/mydomain.cer).

  • CA Chain refers to the certificate chain (intermediate certificate). It is usually provided in .ca or .ca-bundle file format (e.g., mydomain.ca/mydomain.ca-bundle).

Please note that these file formats and standards can vary, considering there are many SSL certificate providers with many different formats and standards. Still, if you need help, you can contact us via Live Chat or create a support ticket.

Finally, paste all the necessary details and hit Submit to deploy the certificate with the correct chain.

Tip

To view and copy your certificate file content (.crt/.cer file), you can use any text editor, such as Notepad for Windows or TextEdit for Mac. Please note that you need to copy and paste the whole certificate, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

That’s it! Your SSL certificate with the intermediate chain should be deployed in a few minutes. You may also see a dialogue box prompting you to force HTTPS redirection if you have not forced it through the Cloudways Platform previously.

Important

If you use any Web Application Firewall (WAF) services such as Cloudflare, Sucuri, etc. or if you have implemented HTTPS redirection already using any application plugin or by modifying the .htaccess file of your application, then you do not need to force HTTPS redirection again from the Cloudways Platform to avoid your website running into redirection loops. But, if you want to force HTTPS redirection from the Cloudways Platform, you need to disable any redirection mechanism working elsewhere first.

So, choose Enable HTTPS or simply skip it by clicking Not Now. Please note that you can also force HTTPS redirection later.

Let’s move to the final step of verifying the SSL certificate to ensure the issue is resolved.

I See the “Re-Install SSL” Option

Step (Ⅰ)

Click Re-Install Certificate to install the SSL certificate and its intermediate certificate.

Step (Ⅱ)

Now, you will be prompted to enter the CRT and Key content.

  • Here, CRT content refers to your application SSL certificate file content. Most SSL vendors usually provide this in .crt or .cer file format (e.g., mydomain.crt/mydomain.cer).

  • You also need to concatenate your CA Chain, which refers to the certificate chain (intermediate certificate). It is usually provided in .ca or .ca-bundle file format (e.g., mydomain.ca/mydomain.ca-bundle). For concatenation, you can use any text editor, such as Notepad for Windows or TextEdit for Mac.

  • All SSL certificates require a private key to work. The private key is a separate file with the extension .KEY that is used in the encryption/decryption of data sent between your server and the connecting users. The private key is created by the certificate owner when requesting the certificate with a Certificate Signing Request (CSR).

Please note that these file formats and standards can vary, considering there are many SSL certificate providers with many different formats and standards. Still, if you need any help, you can always contact us via Live Chat or create a support ticket.

Finally, paste all the necessary details and click SUBMIT to deploy the certificate with the correct chain.

Tip

To view and copy your certificate file content (.crt/.cer file), you can use any text editor, such as Notepad for Windows or TextEdit for Mac. Please note that you need to copy and paste the whole certificate, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

That’s it! Your SSL certificate with the intermediate chain should be deployed in a few minutes. You may also see a dialogue box prompting you to force HTTPS redirection if you have not forced it through the platform previously.

Important

If you use any Web Application Firewall (WAF) services such as Cloudflare, Sucuri, etc. or if you have implemented HTTPS redirection already using any application plugin or by modifying the .htaccess file of your application, then you do not need to force HTTPS redirection again from the Cloudways Platform to avoid your website running into redirection loops. But, if you want to force HTTPS redirection from the Cloudways Platform, you need to disable any redirection mechanism working elsewhere first.

So, choose Enable HTTPS or simply skip it by clicking Not Now. Please note that you can also force HTTPS redirection later.

Let’s move to the final step of verifying the SSL certificate to ensure the issue is resolved.

How to Verify Your SSL Certificate

This is the final step, verifying your SSL certificate, and we have created a self-explanatory guide for it. Verification lets you ensure that the changes were made successfully and the issue is resolved.

That’s it! We hope this article was helpful. If you need any help, then feel free to search your query on Cloudways Support Center or contact us via chat (Need a Hand > Send us a Message). Alternatively, you can also create a support ticket.

